Information about data protection
The following section contains information about the collection, processing and use of personal data in the context of the whistleblowing system. Please read this privacy information carefully before submitting a report.
Purpose of the whistleblowing system
The whistleblowing system (BKMS® System) is used to receive and process information relating to (alleged) violations of legislation or breaches of internal regulations to the detriment of MAN AG in a secure and confidential way.
Responsible office and data security
The office responsible for the data protection aspect of the whistleblowing system is TRATON SE, Dachauer Straße 641, 80995 München. The whistleblowing system is operated by a specialised company, Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of TRATON SE.
Personal data and information entered in the whistleblowing system are stored in a database operated by Business Keeper GmbH in a high-security data centre. Only TRATON SE can access the data. Business Keeper GmbH and other third parties do not have access to the data. This is ensured by a certified procedure involving comprehensive technical and organizational measures.
All data are encrypted and stored behind multi-level password protection, which means that access is restricted to a very small group of persons authorized expressly by TRATON SE. In addition, in order to ensure a high level of data protection and data security, a data protection agreement has been concluded between TRATON SE and Business Keeper GmbH.
Type of personal data collected
The whistleblowing system is used on a voluntary basis. You are under no legal or contractual obligation to provide your personal data.
We collect the following personal data and information when you submit a report via the whistleblowing system:
- Your name and/or private contact and identification data, should you disclose your identity (non-anonymous report)
- Whether you are an employee of the TRATON Group, i.e. professional contact and (professional) organization data, if disclosed by you (non-anonymous report), and, where applicable, the names of persons and other personal data of the persons named in your report.
Confidential treatment of information
Incoming reports are handled by a small group of expressly authorized and specially trained employees of TRATON SE’s GRC department and are always treated confidentially. The employees of the GRC Investigation Office check the facts of the matter and may conduct a further case-related investigation. Only these persons have access to the data stored in the whistleblower portal.
Confidentiality cannot be guaranteed if you deliberately submit false information with the aim of discrediting a person (denunciation).
In substantiated individual cases, while processing a report, or as part of an investigation, it may be necessary to share information with other employees of TRATON SE or of other companies affiliated with TRATON SE, e.g. if the information relates to activities in TRATON SE’s subsidiaries. If required by the investigation, information can be shared with TRATON Group subsidiaries in a country outside the European Union or the European Economic Area, based on appropriate data protection guarantees designed to protect those affected (e.g. EU standard data protection clauses or other exceptional derogations according to Art. 49 of the GDPR). We always ensure compliance with the relevant data protection provisions in connection with the disclosure of information. If required, the information text provided by you will be passed on to subcontracted partners of Business Keeper GmbH for translation. The data protection agreement concluded with Business Keeper GmbH also applies to these partners, whereby a high degree of data protection and data security is also guaranteed here.
In the event of a corresponding legal obligation or if TRATON SE or a third party has a legitimate interest in investigating the information, further possible categories of recipients are criminal prosecution authorities, antitrust authorities, other administrative authorities, courts as well as international attorneys and auditors engaged by TRATON SE or another Group company affiliated with TRATON SE.
All persons who have access to the data are obliged to maintain confidentiality.
Informing the affected person
In certain cases, TRATON SE is obliged by data protection legislation to inform the suspects of the charges made against them. This is a legal requirement in cases where it can be objectively established that the disclosure of information to the suspect can no longer have an adverse effect on the investigation in question. If you disclosed your name or other personal data (non-anonymous report), your identity as a whistleblower will not be disclosed, as far as it is legally possible, and steps will also be taken to ensure that no conclusions can be drawn as to your identity as the whistleblower.
The aforementioned processing activities are justified by the following legal bases:
- Collection, processing and disclosure of your personal data in case of a non-anonymous report: consent to the processing of personal data for one or more specific purposes (Art. 6 Section 1 Lit. a GDPR).
- Collection, processing and disclosure of personal data of the persons included in your report: for the purposes of safeguarding the legitimate interests pursued by the controller or by a third party (Art. 6 Section 1 Lit. f GDPR). It is a legitimate interest of TRATON SE to reveal, process, suppress and sanction violations of the law and severe breaches of duty by employees group-wide in an effective manner with a high level of confidentiality to avert damage and liability risks for the TRATON Group pursuant to §§ 30, 130 OWiG (German Administrative Offences Act). Point 4.1.3 of the German Corporate Governance Code requires the establishment of a whistleblower system to enable employees and third parties to disclose reports on legal violations within the company safely and in an adequate manner.
- Disclosure of personal data in case of a non-anonymous report to other recipients: processing is necessary for compliance with a legal obligation (Art. 6 Section 1 Lit. c GDPR).
Duration of storage of personal data
Personal data will be stored for as long as it is required for the purposes of the investigation and the subsequent assessment and, in addition, for as long as relevant statutory or contractual retention periods oblige us to store it. Once the report has been processed, the data will be deleted or anonymized in accordance with the country-specific legal requirements. In case of anonymization, the reference to your identity as a whistleblower is permanently and irreversibly removed.
Using the whistleblower portal
Encrypted communication and personalized inbox
The communication between your computer and the reporting system is carried out via an encrypted connection (SSL). The IP address of your computer is not stored while using the whistleblowing portal. To maintain the connection between your computer and the BKMS® System, a cookie which contains only the session ID is stored on your computer. The cookie is only valid until the end of your session and becomes invalid when you close the browser.
You have the option of using a self-chosen pseudonym/user name and password to set up a secured postbox in the whistleblowing system. This allows you to send secure messages to the relevant employees of TRATON SE, by name or anonymously. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular email communication.
By using a public PC (e.g. at an internet café), you further protect your anonymity.
Notes on sending attachments
When submitting a report or supplementary information, you have the option of sending attachments to the relevant employees of TRATON SE. If you want to submit a report anonymously, please observe the following security information: Files may contain hidden personal data which might endanger your anonymity. Remove these data before submission. If you are unable to remove these data or are unsure of how to do so, copy the text of the attachment into your report text or send the printed document anonymously (personal data redacted) to the address contained in the footer, quoting the reference number that you receive at the end of the reporting process.
In addition to the right to be informed about the data that relates to you, and the right to have your data rectified, you also have the right to demand erasure and restriction of processing (blocking) of your data collected for the aforementioned purposes as well as the right to data transfer, insofar as there are no legal provisions to the contrary.
Furthermore, there is a right of objection against the processing of data, provided that the processing is based on Art. 6 Section 1 Lit. f GDPR (legitimate interest).
Furthermore, you have the right to withdraw your consent at any time (in case of a non-anonymous report). Your withdrawal does not affect the lawfulness of the collection and processing of your personal data based on your consent until then.
If necessary, we will need to verify your identity before we can process your request.
Contact person in case of questions
To withdraw your consent (in case of a non-anonymous report) or to exercise your rights regarding your data, please contact email@example.com or MAN T&B, Bereich FIO, Zentralteam Datenschutz, Dachauer Straße 641, 80995 München.
You can contact the data protection officer of TRATON SE via: TRATON SE, attn. the data protection officer, Dachauer Straße 641, 80995 München.
In case of other questions, please contact the Investigation Office at firstname.lastname@example.org or TRATON SE, Dachauer Straße 641, 80995 München.
You also have the option of contacting a data protection supervisory authority in the event of complaints.